categories: writeups, series: VolgaCTF 2015 Quals
VolgaCTF 2015 Quals - Remote Web, interstellar
Remote Web
This was an easy task. We were asked to ssh onto a box and find a forgotten port on 10.0.1.18. Once logged in, we found that almost every program in /bin had been deleted or made inaccessible, except nc. Luckily nc alone is enough for a port scan, with something like **nc -zv 10.0.1.18 1-65535** (the OpenBSD and traditional netcat builds accept a port range like this; ncat does not), and after some time one port was reported as open: 54321. Connecting to it and typing a bare **GET /** was enough to get the flag:
```
team@volgactf2015:/$ nc 10.0.1.18 54321
GET /
Nice!
Flag is {NoBeerATm@y1st}
team@volgactf2015:/$
```
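As an added example (not part of the original writeup), here are the same two steps, the connect scan and the `GET /` probe, written in Python so they can be run stand-alone against a local stand-in service. `nc -z` does nothing more than attempt a full TCP handshake on each port and report the ones that complete; `probe` does what typing `GET /` into `nc` did. `start_fake_service`, `unused_port` and the flag text in the demo are constructed for this example and are not the real challenge service.

```python
# Added example: TCP connect scan (what `nc -z` does) plus a one-shot probe
# (what typing "GET /" into nc did).  The fake service below is constructed
# for the demo; it is not the challenge box.
import socket
import threading
from typing import Iterable, List


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Return the ports on which a full TCP handshake succeeds.

    A refused connection (RST) and a timeout (filtered) both count as not open,
    which is exactly the distinction `nc -zv` makes when it prints "succeeded".
    """
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)          # handshake completed: open
        except OSError:
            pass                            # refused or timed out: not open
    return found


def probe(host: str, port: int, payload: bytes, timeout: float = 2.0) -> bytes:
    """Connect, send one payload (e.g. b"GET /\\n") and return everything the
    service sends back until it closes the connection or goes quiet."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:                # peer closed: reply is complete
                    break
                chunks.append(data)
        except socket.timeout:
            pass                            # peer kept the socket open; keep what we got
        return b"".join(chunks)


def start_fake_service(reply: bytes) -> int:
    """Constructed stand-in for the forgotten service (assumption for the demo).

    Listens on 127.0.0.1, answers any connection that sends data with `reply`,
    and returns the port it picked.  Scan connections that send nothing are
    simply closed, so the scan and the probe can both hit the same listener.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    if conn.recv(1024):
                        conn.sendall(reply)
                except OSError:
                    pass                    # client went away; nothing to do

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port() -> int:
    """Constructed helper: a local port that is (almost certainly) closed, so the
    scan has a refused case to show alongside the open one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port = start_fake_service(b"Nice!\nFlag is {constructed-demo-flag}\n")
    closed_port = unused_port()
    print("open ports:", tcp_connect_scan("127.0.0.1", [closed_port, open_port]))
    print(probe("127.0.0.1", open_port, b"GET /\n").decode())
```

Scanning all 65535 ports this way, one connect at a time with a timeout, is exactly why the writeup's `nc` scan took "some time"; against a host that drops packets instead of refusing them, every closed port costs a full timeout.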
interstellar
This binary had some anti-debugging measures, but they were easily bypassed by breaking on the check it makes on stat_loc.__uptr and setting $rax to 0. The binary then does some calculation with the GMP library on argv[1], character by character. At the end a huge number comes out, and it is converted into a binary string. That binary string is passed as an argument to the subroutine at 0x400b5d, which transforms it against a fixed binary string:
(01111101001000101000000111101001001011111110010011100111010011000010101101110110100001101011100101001110000000001101000110001011011010101001000000010010001100011001100011001011010101111011110110001100101100101000110011101111101101000110110010101001100100110100010101101111101111011001100011111101)
This function returns a new binary string built by comparing the two strings character by character: where the two characters are equal a "1" is appended, otherwise a "0" (in other words, a bitwise XNOR).
The resulting string is then converted back to ASCII and, if it equals "From a seed a mighty trunk may grow.", we win.
So, to solve this, we started from the bottom and wrote out the binary encoding of that string (note that it ends in 00001010, a trailing newline, so the compared value is 37 bytes long):
01000110011100100110111101101101001000000110000100100000011100110110010101100101011001000010000001100001001000000110110101101001011001110110100001110100011110010010000001110100011100100111010101101110011010110010000001101101011000010111100100100000011001110111001001101111011101110010111000001010
Then we wrote a script that reverses the transformation following the rules used in the 0x400b5d function (since the rule is an XNOR, applying it once more against the fixed string undoes it) and got this binary number:
11000100101011110001000101111011111100000111101000111000110000001011000111101100000111010110011011010000110111110100001100011101111100100000011110011001101101110100011101000000110110100011011100011101001001100101001101111101001010101110101001110110000010111100100011111111001101010100100100001000
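Added example, not the team's script: it reproduces the reversal step in Python. The two long bit strings are the ones quoted above (the fixed string from the binary and the input bits the writeup obtained), split into 8-bit groups here only for readability; the function names and the reading of the 0x400b5d rule as a bitwise XNOR are this example's own. Because XNOR is its own inverse, applying the rule to the fixed string and the target text gives back the bit string the GMP stage has to produce, and `transform` runs the forward direction to confirm the round trip.

```python
# Added example: reversing the 0x400b5d transformation from this writeup.
# Bit strings copied from the writeup; spaces added for readability only.

# Fixed bit string hard-coded in the binary (quoted in the writeup).
FIXED_BITS = "".join("""
01111101 00100010 10000001 11101001 00101111 11100100 11100111 01001100
00101011 01110110 10000110 10111001 01001110 00000000 11010001 10001011
01101010 10010000 00010010 00110001 10011000 11001011 01010111 10111101
10001100 10110010 10001100 11101111 10110100 01101100 10101001 10010011
01000101 01101111 10111101 10011000 11111101
""".split())

# Text the transformed input must decode to.  The writeup's bit dump of it
# ends in 00001010, so the compared value carries a trailing newline.
TARGET = "From a seed a mighty trunk may grow.\n"

# Input bit string the writeup's script produced, kept here as a cross-check.
WRITEUP_INPUT_BITS = "".join("""
11000100 10101111 00010001 01111011 11110000 01111010 00111000 11000000
10110001 11101100 00011101 01100110 11010000 11011111 01000011 00011101
11110010 00000111 10011001 10110111 01000111 01000000 11011010 00110111
00011101 00100110 01010011 01111101 00101010 11101010 01110110 00001011
11001000 11111111 00110101 01001001 00001000
""".split())


def to_bits(s: str) -> str:
    """ASCII string -> bit string, 8 bits per byte, most significant bit first."""
    return "".join(f"{b:08b}" for b in s.encode("ascii"))


def from_bits(bits: str) -> str:
    """Bit string (length a multiple of 8) -> ASCII string."""
    if len(bits) % 8:
        raise ValueError("bit string length is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def xnor_bits(a: str, b: str) -> str:
    """The 0x400b5d rule: '1' where the two bits agree, '0' where they differ."""
    if len(a) != len(b):
        raise ValueError("bit strings differ in length: %d vs %d" % (len(a), len(b)))
    return "".join("1" if x == y else "0" for x, y in zip(a, b))


def transform(input_bits: str) -> str:
    """Forward direction, as the binary does it: XNOR the input against the
    fixed string and decode the result as ASCII."""
    return from_bits(xnor_bits(FIXED_BITS, input_bits))


def recover_input_bits(target: str = TARGET) -> str:
    """Inverse direction: XNOR is an involution, so XNOR-ing the fixed string
    with the target's bits yields the input bits the GMP stage must produce."""
    return xnor_bits(FIXED_BITS, to_bits(target))


def recover_input_int() -> int:
    """The same value as an integer, i.e. the big number the GMP calculation
    on argv[1] has to end up with."""
    return int(recover_input_bits(), 2)


if __name__ == "__main__":
    bits = recover_input_bits()
    print(bits)
    print(hex(recover_input_int()))
    print("matches the writeup:", bits == WRITEUP_INPUT_BITS)
    print("round trip decodes to target:", transform(bits) == TARGET)
```

The length check in `xnor_bits` is the practical caveat: the fixed string is 296 bits, so a target without the trailing newline (288 bits) cannot be the right one, which is how the newline in the compared value shows up even before reading the comparison code.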
Now this is the number that the calculation with the GMP library has to produce. To find the input string that yields it, we wrote a tiny script that finds it for us:
And that string is the flag to submit.
Razor4x